
ClientCert depth of verification levels
Chris Morrow <cmorrow(at)verrus.com>
2010-03-01 22:52:45 [ FULL ]
Hi all,

I was unable to find documentation describing exactly what the depth of
verification is doing on the ClientCert parameter. I have a few questions.

1) Does someone have a breakdown of each depth number and what it does? For
example, depth "4" compared to depth "9".

2) Is there a performance hit for each level of additional verification? I
would assume yes, that is why it is broken down so verbosely.
 
3) What is the recommended parameter if there is a need to force and verify
client certificates?

Example HTTPSListener config...

################

ListenHTTPS
        Address    172.16.x.x
        Port       443
        Cert       "certificate file"
        xHTTP      0
        ClientCert 2 9
        CAlist     "CAcert_file"
        VerifyList "Verify_file"
End

################



Thanks,
Chris Morrow

RE: ClientCert depth of verification levels
Chris Morrow <cmorrow(at)verrus.com>
2010-03-02 21:13:05 [ FULL ]
I have answered my own question. Approximately line 895 of config.c ...

        case 2:
                /* ask and fail if no client certificate */
                SSL_CTX_set_verify(res->ctx, SSL_VERIFY_PEER |
                                   SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
                SSL_CTX_set_verify_depth(res->ctx, atoi(lin + matches[2].rm_so));
                break;

A coworker familiar with OpenSSL pointed out that "SSL_CTX_set_verify_depth" is
an OpenSSL function. After reading the OpenSSL documentation it became clear
what the Pound depth parameter was doing.

Quote OpenSSL.org/docs:
"SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up to
which depth certificates in a chain are used during the verification procedure.
If the certificate chain is longer than allowed, the certificates above the
limit are ignored. Error messages are generated as if these certificates would
not be present, most likely a X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will
be issued. The depth count is ``level 0:peer certificate'', ``level 1: CA
certificate'', ``level 2: higher level CA certificate'', and so on. Setting the
maximum depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9,
allowing for the peer certificate and additional 9 CA certificates."

Full documentation can be found here: http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

Robert, can you please make a small documentation update to pound(8). My
suggestion:

       ClientCert 0|1|2|3 depth
              Ask for the client's HTTPS certificate: 0 - don't ask (default),
              1 - ask, 2 - ask and fail if no certificate was presented, 3 - ask
              but do not verify. Depth is the depth of verification for a client
              certificate (up to 9). The default depth limit is 9, allowing for
              the peer certificate and additional 9 CA certificates that must be
              verified.

I hope this is helpful for anyone else looking to enable client certificate
authentication.

Thanks,
Chris
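
The depth rule quoted from the OpenSSL docs is easiest to see on a concrete chain. The following is an added illustration, not code from Pound or OpenSSL: certificates are reduced to subject/issuer names and no signatures or validity periods are checked. It walks a constructed chain (client certificate, two issuing CAs, root) from level 0 upward, ignores any level above the configured depth exactly as the documentation describes, and reports the error OpenSSL would most likely raise (`X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`) at the last level that was still used. The certificate names, the `verify_chain` and `smallest_working_depth` helpers and the sample CAlist are all constructed for the example.

```python
"""Model of OpenSSL's verify-depth rule for Pound's `ClientCert <mode> <depth>`.

Added example, not Pound or OpenSSL code: a certificate is only a
(subject, issuer) pair, so this shows chain-building and the depth cut-off,
nothing about signatures.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_DEPTH = 9  # OpenSSL default quoted above: peer cert plus 9 CA certs


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def verify_chain(presented: List[Cert], calist: List[Cert],
                 depth: int = DEFAULT_DEPTH) -> Tuple[bool, Optional[str], int]:
    """Walk upward from the peer certificate (level 0), resolving each issuer
    first among the certificates the client sent and then in the CAlist.
    Certificates above `depth` are ignored, as the OpenSSL text says, so a
    chain that needs level depth+1 fails at level `depth`.
    Returns (ok, error_name, level_reached)."""
    if not presented:
        # What ClientCert 2 enforces through SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
        return False, "SSL_VERIFY_FAIL_IF_NO_PEER_CERT", 0
    untrusted = {c.subject: c for c in presented[1:]}  # sent by the client
    trusted = {c.subject: c for c in calist}           # Pound's CAlist
    current, level = presented[0], 0
    while True:
        if current.self_signed:
            if current.subject in trusted:
                return True, None, level  # reached a trusted root
            err = ("X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT" if level == 0
                   else "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN")
            return False, err, level
        if level + 1 > depth:
            # The issuer would sit above the depth limit, so it is ignored and
            # the chain looks as if the issuer were simply missing.
            return False, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", level
        issuer = untrusted.get(current.issuer) or trusted.get(current.issuer)
        if issuer is None:
            return False, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", level
        current, level = issuer, level + 1


def smallest_working_depth(presented: List[Cert], calist: List[Cert],
                           max_depth: int = DEFAULT_DEPTH) -> Optional[int]:
    """Smallest depth value for which verify_chain succeeds, or None."""
    for d in range(max_depth + 1):
        if verify_chain(presented, calist, d)[0]:
            return d
    return None


# Constructed sample PKI: client cert -> issuing CA 2 -> issuing CA 1 -> root.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INT1 = Cert("CN=Example Issuing CA 1", "CN=Example Root CA")
INT2 = Cert("CN=Example Issuing CA 2", "CN=Example Issuing CA 1")
CLIENT = Cert("CN=client-01", "CN=Example Issuing CA 2")

PRESENTED = [CLIENT, INT2, INT1]  # a typical client omits the root
CALIST = [ROOT]                   # the root is what goes into CAlist

if __name__ == "__main__":
    for d in (1, 2, 3, DEFAULT_DEPTH):
        print(f"ClientCert 2 {d}: {verify_chain(PRESENTED, CALIST, d)}")
    print("smallest working depth:", smallest_working_depth(PRESENTED, CALIST))
```

With this chain, depth 2 fails at level 2 because the root at level 3 is never consulted, while depth 3 (or the default 9) succeeds; a CAlist that holds only an intermediate fails the same way regardless of depth, since the walk never reaches a trusted self-signed root.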

